Authentication system and apparatus therefor

ABSTRACT

In the case where a prover A proves the validity of a pretender B to a verifier C, B receives an initial response x&#39; created by A, randomizes it with a random component and sends it as x&#34;, and randomizes an inquiry β from C with the random component and sends it as β&#39; to A. A proves, for the received randomized inquiry β&#39;, the validity of B by a secret key s randomized with a random number r and then sends it as a proved response z to B. B removes the random component from the proved response z and sends it as A&#39;s proof to C for verification. B keeps secret the procedures for randomizing the initial response x&#39; and the inquiry, thereby maintaining secret the correlation between A-B interactions (x&#39;, β&#39;, z) nand B-C interactions (x&#34;, β, z&#39;). 
     In the case of proving the validity of a message m of a signature client B to the verifier C by attaching a signature of A to the message m, B receives an initial response x&#39; created by A and randomizes it with a random component to create a randomized response x&#34;, creates a randomized inquiry β&#39; containing a random component by use of the randomized response x&#34; and the message m, and sends the randomized inqiury β&#39; to A. A proves, for the randomized inqiury β&#39;, its validity by a secret key s randomized with a random number r and then sends it as a proved response z to B. B removes the random component from the proved response z to create a derandomized response z&#39;, which is sent to C for verification.

BACKGROUND OF THE INVENTION

The present invention relates to an authentication system and apparatustherefor which permit the implementation of a communication protocol forprotecting the privacy of consumers in an electronic funds transfer orsimilar payment transactions through a telecommunication system.

In recent years there has been popularized settlement of accounts by anelectronic funds transfer or IC card through utilization of atelecommunication system. Furthermore, much study is being given the useof a general-purpose prepaid card or electronic wallet as a substitutefor cash. Once the circulation of funds through such a system is placedunder the control of a particular organization, private information ofconsumers about their propensity to consume, etc. is accumulated orcaptured by the organization--and this poses serious problems from apersonal privacy perspective.

One possible solution to this problem that has been proposed so far is asafe funds transfer system which makes the transfer of fundsuntraceable, as disclosed by David Chaum et al., for example, in U.S.Pat. No. 4,759,063 entitled "Blind Signature System" and in "Securitywithout Identification: Transaction Systems to Make Big BrotherObsolute," Communications of ACM Vol. 28, No. 10, October 1985.

The blind signature system by Chaum et al. may be briefly summarized inthe following outline.

A consumer (a signature client: B) creates a transformed message z byrandomizing, with random numbers, an original message containing thecontents of a transaction such as an amount of money (i.e. blinding theoriginal message) and transmits the transformed message z to a bank (aprover: A). After checking the validity of the consumer B, the bank Awithdraws the specified amount of money from the consumer's account,signs the transformed message z by use of a secret key d correspondingto the withdrawn amount of money and then returns the signed message z'to the consumer B. The consumer B removes the influence of the randomnumbers from the message z' (i.e. unblinds the message z') to obtain avariant m' of the original message m which retains the signature of thebank A, and the consumer B gives it to a shop (verifier: C) as payment.By confirming the signature of the bank A appended to the message m',the shop C judges that the message m' is worth a certain amount ofmoney. Then the shop C receives the corresponding amount of money whensupplying the message m' to the bank A. That is to say, the message m'possesses the function of a note.

Since the message z is created by applying random numbers to theoriginal message m, the bank and a third party cannot link thetransformed message z with the original m, and even if the bank and theshop should conspire, they could not associate the note m' with thetransformed message z. In other words, it is impossible to know whoissued the note m'. Thus, the method proposed by Chaum et al. does notallow the originator (the consumer) of the note m' to be traced back(that is, untraceable), and hence ensures the privacy of the consumersuch as his propensity to consume.

With the above method, however, since the bank A needs only to sign themessage z from the consumer B by direct use of the secret key d, it isinfeasible to completely preclude the possibility of the consumer Bdecoding the signature of the bank A or leading the bank A to reveal thesecret key d. If the consumer B should succeed in acquiring the secretkey d, he could freely create and abuse the signature of the bank A.Accordingly, this blind signature system cannot be said to be absolutelysecure in terms of safety.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide anauthentication system and apparatus which permit the use of the blindsignature scheme but ensure a higher degree of safety.

According to the authentication system of the present invention, in userauthentication for a pretender B to have a prover A authenticate hisidentity to a verifier C, the prover A is provided with an initialresponse generator and a proving device, the pretender B is providedwith a random generator, an initial response randomizer, an inquiryrandomizer, and a derandomizer, and the verifier C is provided with averifying device. The user authentication involves the following steps:

Step 1: The prover A transmits to the pretender B an initial response x'produced by the initial response generator using a random number r.

Step 2: The pretender B inputs the initial response x' received from theprover A and secret random components, produced by the random generator,into the initial response randomizer to create a randomized initialresponse x', which is transmitted to the verifier C.

Step 3: The verifier C transmits an inquiry β to the pretender B.

Step 4: The pretender B inputs the inquiry β received from the verifierC and the previously generated random components into the inquiryrandomizer to produce a randomized inquiry β', which is transmitted tothe prover A.

Step 5: The prover A produces a proved response z corresponding to therandomized inquiry β' by the proving device using a secret key s of hisown and the random number r, and returns the proved response z to thepretender B.

Step 6: The pretender B inputs the proved response z and the previouslygenerated random components into the derandomizer to eliminate theinfluence of the random components to thereby produce a derandomizedproved response z', which is sent to the verifier C.

Step 7: The verifier C inputs the derandomized proved response z' intothe verifying device to check whether the proved response z' is acorrect response to the randomized initial response x" received from thepretender B previously and the inquiry β sent thereto previously.

Steps 1 through 7 may be repeated a plurality of times.

In the above authentication system the correspondence between theinformation (x', β', z) transmitted between the pretender B and theprover A and the information (x", β, z') transmitted between theverifier C and the pretender B is maintained in secrecy by keeping therandom components secret on the part of the pretender B. Thus, in thisuser authentication the prover A can prove to the verifier C that heestablishes the identity of the pretender B without disclosing thepretender's identity. In addition, since the prover A produces theproved response z by randomizing his secret key s with the random numberr, the pretender B cannot steal the secret key s of the prover A. Thusthis authentication system is excellent in safety.

In a message authentication system of the present invention in which thevalidity of a message of a signature client is proved by a prover A to averifier C, the prover A is provided with an initial response generatorand a providing device, the signature client B is provided with a randomgenerator, an initial response randomizer, an inquiry generator, and aderandomizer, and the verifier C is provided with a verifying device.The authentication involves the following steps:

Step 1: The prover A transmits to the signature client B an initialresponse x' produced by the initial response generator using a randomnumber r.

Step 2: The signature client B inputs the initial response x' receivedfrom the prover A and secret random components, produced by the randomgenerator, into the initial response randomizer to create a randomizedinitial response x", and inputs the randomized initial response x" and amessage m to be signed into the inquiry generator to obtain an inquiry βand a randomized inquiry β' produced by randomizing the inquiry β withthe random components. The signature client B sends the randomizedinquiry β' to the prover A.

Step 3: The prover A produces a proved response z corresponding to therandomized inquiry β' by the proving device using a secret key s of hisown and the random number r, and transmits the proved response z to thesignature client B.

Step 4: The signature client B inputs the proved response z and thepreviously generated random components into the derandomizer toeliminate the influence of the random components, thereby creating aderandomized proved response z' corresponding to the message m. Thesignature client B transmits the proved response z' to the verifier C,together with the message m and the inquiry β.

Step 5: The verifier C inputs the derandomized proved response z', themessage m and the inquiry β into the verifying device, thereby checkingwhether the inquiry β and the proved response z' constitute a correctsignature for the message m.

In the above authentication system the correspondence between theinformation (x', β', z) transmitted between the signature client B andthe prover A and the information (m, β, z') transmitted between theverifier C and the signature client B is maintained in secrecy bykeeping the random components secret on the part of the signature clientB. As is the case with the afore-mentioned user authentication system,since the prover A produces the proved response z by randomizing itssecret key s with the random number r, the signature client B cannotsteal the secret key s. Accordingly, this authentication system is alsoexcellent in safety.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the basic procedure of the userauthentication system of the present invention

FIGS. 1A through 1C are block diagrams illustration the basicconstitutions of a prover A, a pretender B and a verifier C for the userauthentication system in FIG. 1;

FIG. 2 is a diagram showing the basic procedure of the messageauthentication system of the present invention

FIGS. 2A through 2C are block diagrams illustrating the basicconstitutions of a prover A, a signature client B and a verifier C forthe message authentication system in FIG. 2;

FIG. 3 is a diagram showing a concrete procedure of the userauthentication system according to a first embodiment of the presentinvention;

FIG. 4 is a diagram showing a concrete procedure of the messageauthentication system according to the first embodiment of the presentinvention;

FIG. 5 is a block diagram illustrating the construction of the prover Afor both the user authentication and the message authentication in thefirst embodiment of the invention;

FIG. 6 is a block diagram illustrating the construction of the pretenderB for the user authentication in the first embodiment of the invention;

FIG. 7 is a block diagram illustrating the construction of the verifierC for the user authentication in the first embodiment of the invention;

FIG. 8 is a block diagram illustrating the construction of the signatureclient B for the message authentication in the first embodiment of theinvention;

FIG. 9 is a block diagram illustrating the construction of the verifierC for the message authentication in the first embodiment of theinvention;

FIG. 10 is a diagram showing a concrete procedure of the userauthentication system according to a second embodiment of the presentinvention;

FIG. 11 is a diagram showing a concrete procedure of the messageauthentication system according to the second embodiment of theinvention;

FIG. 12 is a block diagram illustrating the construction of the prover Afor both the user authentication and the message authentication in thesecond embodiment of the invention;

FIG. 13 is a block diagram illustrating the construction of thepretender B for the user authentication in the second embodiment of theinvention;

FIG. 14 is a block diagram illustrating the construction of the verifierC for the user authentication in the second embodiment of the invention;

FIG. 15 is a block diagram illustrating the construction of thesignature client B for the message authentication in the secondembodiment of the invention;

FIG. 16 is a block diagram illustrating the construction of the verifierC for the message authentication in the second embodiment of theinvention;

FIG. 17 is a diagram showing a concrete procedure of the userauthentication system according to a third embodiment of the presentinvention;

FIG. 18 is a diagram showing a concrete procedure of the messageauthentication system according to the third embodiment of theinvention;

FIG. 19 is a block diagram illustrating the construction of the prover Afor both the user authentication and the message authentication in thethird embodiment of the invention;

FIG. 20 is a block diagram illustrating the construction of thepretender B for the user authentication in the third embodiment of theinvention;

FIG. 21 is a block diagram illustrating the construction of the verifierC for the user authentication in the third embodiment of the invention;

FIG. 22 is a block diagram illustrating the construction of thesignature client B for the message authentication in the thirdembodiment of the invention;

FIG. 23 is a block diagram illustrating the construction of the verifierC for the message authentication in the third embodiment of theinvention;

FIG. 24 is a diagram showing a concrete procedure of the userauthentication system according to a fourth embodiment of the presentinvention;

FIG. 25 is a diagram showing a concrete procedure of the messageauthentication system according to the fourth embodiment of the presentinvention;

FIG. 26 is a block diagram illustrating the construction of the prover Afor both the user authentication and the message authentication in thefourth embodiment of the invention;

FIG. 27 is a block diagram illustrating the construction of thepretender B for the user authentication in the fourth embodiment of theinvention;

FIG. 28 is a block diagram illustrating the construction of the verifierC for the user authentication in the fourth embodiment of the invention;

FIG. 29 is a block diagram illustrating the construction of thesignature client B for the message authentication in the fourthembodiment of the invention; and

FIG. 30 is a block diagram illustrating the construction of the verifierC for the message authentication in the fourth embodiment of theinvention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows the basic procedure for performing the user authenticationin accordance with the authentication system of the present invention.The prover A, the pretender B, and the verifier C transmit and receiveinformation between them via telecommunication lines. The prover A,identified by 100 in FIG. 1A, includes an initial response generator 110and a proving device 120. The pretender B, identified by 200 in FIG. 1B,includes a random generator 210, an initial response randomizer 215, aninquiry randomizer 220, and a derandomizer 230. The verifier C,identified by 300 in FIG. 1C, includes an inquiry generator 320, and averifying device 330.

The user authentication takes place following such steps as mentionedbelow in conjunction with FIG. 1.

Step 1: The prover A transmits to the pretender B an initial response x'produced by the initial response generator using a random number r.

Step 2: The pretender B inputs the initial response x' received from theprover A and random components, produced by the random generator 210,into the initial response randomizer 215 to create a randomized initialresponse x", which is transmitted to the verifier C.

Step 3: The verifier C creates an inquiry β by the inquiry generator 320and transmits the inquiry β to the pretender B.

Step 4: The pretender B inputs the inquiry β received from the verifierC and the above-mentioned random components into the inquiry randomizer22 to create a randomized inquiry β', which is transmitted to the proverA.

Step 5: The prover A creates a proved response z corresponding to therandomized inquiry β' by the proving device 120 using a secret key s ofits own and the random number r, and returns the proved response z tothe pretender B.

Step 6: The pretender B inputs the proved response z and theafore-mentioned random components into the derandomizer 230, by whichthe influence of the random components applied by the pretender B to theinquiry β in Step 4 is eliminated to obtain a proved response z', whichis transmitted to the verifier C.

Step 7: The verifier C inputs the proved response z' into the verifyingdevice 330, thereby checking whether the proved response z' is a correctresponse to both of the randomized initial response x" previouslyreceived and the inquiry β previously transmitted.

In the above authentication system, since the correspondence between theinformation (x', β', z) transmitted between the pretender B and theprover a and the information (x", β, z') transmitted between theverifier C and the pretender b is maintained in secrecy by keeping therandom components secret on the part of the pretender B, it is possiblefor the prover A to assure the verifier C of the identity of thepretender B without disclosing it. In addition, it has been proved bythe inventors of this application that the pretender B cannot steal thesecret key s from the prover A because the prover A creates the provedresponse z by randomizing the secret key s with the random number r ("AnAbuse of Zero Knowledge Proofs, Measures to Protect It, and ItsApplications," T. Okamoto and K. Ohta, The Proceedings of The 1988Workshop on Cryptography and Information Security, Kobe, Japan, July28-29, 1988 and "Divertible Zero Knowledge Interactive Proofs andCommutative Random Self-Reducibility," T. Okamoto and K. Ohta,Proceedings of Eurocrypt '89, Apr. 10-13, 1989). Accordingly, theauthentication system of the present invention excels, in terms ofsafety, the blind signature system proposed by Chaum et al.

FIG. 2 shows the basic procedure for the message authentication inaccordance with the authentication system of the present invention. Theprover A, the signature client B, and the verifier c transmit andreceive information between them via telecommunication lines. The proverA, identified by 100 in FIG. 2A, includes an initial response generator110 and a proving device 120. This constitution is exactly the same asthat for the user authentification shown in FIG. 1. The signature clientB, identified by 200 in FIG. 2B, includes a random generator 210, aninitial response randomizer 215, an inquiry randomizer 250, and aderandomizer 260. The verifier C, identified by 300 in FIG. 2C, includesa verifying device 340.

The message authentication involves the following steps.

Step 1: The prover A transmits to the signature client B an initialresponse x' produced by the initial response generator 110 using randomnumbers r.

Step 2: The signature client B inputs the initial response x' receivedfrom the prover A and secret random components produced by the randomgenerator 210 into the initial response randomizer 215 to create arandomized initial response x". The randomized initial response x" and amessage m to be signed are input into the inquiry generator 250 toproduce an inquiry β and a randomized inquiry β' created by randomizingthe inquiry β with random numbers. The randomized inquiry β' is sent tothe prover A.

Step 3: The prover A produces, by proving device 120, a proved responsez corresponding to the received randomized inquiry β', using a secretkey s of the prover A and the random numbers r. The proved response z issent to the signature client B.

Step 4: The signature client B inputs the proved response z and theabove-mentioned random components into the derandomizer 260 to eliminatethe influence of the random components applied by the signature client Bto the initial response x' in Step 2, thereby producing a provedresponse z' corresponding to the message m. The message m is sent to theverifier C, along with the inquiry β.

Step 5: The verifier C input the proved response z', the message m, theinquiry β into the verifying device 340, checking whether the inquiry βand the proved response z' constitute a correct signature correspondingto the message m.

In this authentication system the correspondence between the information(x', β', z) transmitted between the signature client B and the prover Aand the information (m, β, z') transmitted between the verifier C andthe signature client B can be maintained in secrecy by keeping therandom components secret on the part of the signature client B. Inaddition, as is the case with the afore-mentioned user authenticationsystem, the prover A creates the proved response z by randomizing withits secret key s, so that the signature client B cannot steal the secretkey s of the prover A. Accordingly, this system is highly safe.

The blind signature system by chaum is not absolutely safe as referredto previously. Moreover, the chaum system is based on the RSAcrypotography of a large amount of computation, and hence poses aproblem in that a large processing capability is needed to obtain asigned response z' from a response z by use of a secret key d (In theafore-mentioned example of the blind signature system a large amountcomputation is imposed on the bank A). In concrete terms, the RSAcryptographic scheme cells for an average of 768 multiplications(including modulo N calculations) of integers of 200 digits.

By the way, a high-speed authentication system has been proposed by Fiatand Shamir (U.S. Pat. No. 4,748,688 issued to Shamir and Fiat, and A.Fiat and A. Shamir, "How to prove yourself: practical solutions toidentification and signature problems," Proceedings of Crypto 86, pp.18-1-18-17 Santa Barbara, August 1986).

With the Fiat-Shamir method, the amount of computation is t(k+2)/2multiplications (including modulo N calculations) on the average (themeanings of k and t described later), and in particular, it isrecommended to select k=5 and t=4. In such a case, the number ofmultiplications needed in the Fiat-Shamir method is 14. Thus, thismethod affords substantial reduction of the computation as compared withthe signature method based on the RSA scheme. In concrete terms, since14/768=0.02, the authentication can be achieved with computation 2% ofthat required by the RSA scheme.

The outline of the Fiat-Shamir method is as follows.

At first, a trusted center creates, by the following procedure, k secretkeys s_(j) (where 1≦j≦k, k being a parameter which determines the degreeof a security and greater than 1) for a user who uses an ID as a proofof his identity. Here, N is information made public and can be expressedas N=P×Q, where P and Q are secret primes. Further f is a one-wayfunction and is made public.

Step 1: x_(j) =f(ID, j)(1≦j≦k) is calculated using the one-way functionf.

Step 2: s_(j) =√x_(j) (mod N) is calculated using the primes factors Pand Q of N for each x_(j). That is, s_(j) ² =s_(j) (mod N).

(Note) In the Fiat-Shamir method, s_(j) =√1/x_(j) (mod N) is employed,though the same result can be obtained even by defining s_(j) asmentioned previously.

Step 3: The center secretly issues k secret keys s_(j) to the user andmakes public the function f and the composite number N.

The computation of the square root in (mod N) can be conducted only whenthe prime factors (P and Q) of N are known. The method therefor isdisclosed in Rabin, M. O., "Digitalized Signatures and Public-KeyFunctions as Intractable as Factorization," Tech. Rep. MIT/LCS/TR-212,MIT, Lab. Comput. Sci., 1979, for example.

The user authentication system is as follows.

A prover A proves, in the following procedure, to a verifier C that heis A.

Step 1: A sends ID to C.

Step 2: C computes information x_(j) =f(ID, j) (1≦j≦k).

Next, the following steps 3-6 are repeated for i=1, . . . , t (t being aparameter which determines the security of the system and has a-valuegreater than 1).

Step 3: A creates a random number r_(i), computes x'_(i) =r₁ ² (mod N)and sends it to C.

Step 4: C creates a of bits (e_(il), . . . , e_(jk)) each of 0 or 1 andsends it to A.

Step 5: A creates a signed message z_(i) b computing ##EQU1##

and sends the signed message z_(i) to C.

Step 6: C checks that ##EQU2##

According to the method of creating z_(i), ##EQU3## so that the verifierC accepts A's proof of identity only when all the t checks aresuccessful.

The probability of the verifier C mistaking a bongus prover for A is1/2^(kt), where k is the number of secret keys s_(j) administered by theprover and t defines the number of communications of the message.

The above is the user authentication system by the Fiat-Shamir methodand the message authentication system can be implemented by modifyingthe above-mentioned procedure as follows.

First k×t bits of f(m, x'₁, . . . , x'_(t)) obtained by applying theone-way function f to a message m and (x'₁, . . . , x'_(t)) are regardedas the bit string (e_(ij)) in the above procedure and (ID, m, (e_(ij)),z₁, . . . , z_(t)) is sent as a signed message to the verifier.

As mentioned above, the Fiat-Shamir method is a high-speedauthentication system, but up to now, there has not been proposed anuntraceable authentication system employing the Fiat-Shamir method.

FIGS. 3 and 4 respectively show procedures for user authentication andmessage authentication in the case of applying the above Fiat-Shamirmethod to the authentication systems of the present invention depictedin FIGS. 1 and 2. FIGS. 5 to 9 illustrate the constitutions of theprover A, the pretender or the signature client B, and the verifier Cfor performing the authentications.

The user authentication in FIG. 3 employs the user authentication systemof the Fiat-Shamir method between the prover A and the pretender B andbetween the pretender B and the verifier C, and implements anuntraceable user authentication system by keeping secret, on the part ofthe pretender B, information which associates the two Fiat-Shamirmethods with each other.

As in the case of the Fiat-Shamir method, a trusted center makes publica composite number N and a one-way function f, computes a secret key swhich corresponds to identifying information ID of the prover A andsatisfies s² (mod N)=x=f(ID), and sends the secret key s to the proverA. Referring now to FIGS. 5 to 7 which illustrate the constitutions 100,200 and 300 of the prover A, the pretender B and the verifier C,respectively, the user authentication procedure will be described inconnection with the case where k=1.

The prover A takes the following procedure to prove the validity of thepretender B to the verifier C.

Step S₁ : The prover A sends identifying information ID to the pretenderB and the verifier C.

Step S₂ : The prover A, the pretender B and the verifier C computeinformation x=f(ID) using one-way functions 105, 205 and 305,respectively. Next, the following steps S₃ to S₆ are repeated t times.

Step S₃ : The prover A generates an initial response x' by an initialresponse generator 110 and sends it to the pretender B.

The initial response generator 110 can be formed by a random generator111 and a modulo calculator 112. A random number r is generated by therandom generator 111 and x' is computed by the modulo calculator usingx'=x·r² (mod N)

Step S₄ : Upon receipt of the initial response x', the pretender Bgenerates a random bit e, which is 0 or 1, and a random number u, bothgenerated by a random generator 210, inputs them into an initialresponse randomizer 215, together with the initial response x' and xcreated by a function generator 205 in advance, thereby computes arandomized initial response x", and sends it to the verifier C.

The Initial response randomizer 215 is formed as a modulo calculator,for example, and computes the randomized initial response x" by x"=u²·x^(-e) ·x'(mod N) based on the received initial response x', xgenerated by the function calculator 205, and random components e and ugenerated by the random generator 210.

Step S₅ : The verifier C stores the randomized initial response x" in aninformation storage 310, creates a random bit β which is 0 or 1 by arandom generator 320, and then sends it as an inquiry to the pretenderB.

Step S₆ : The pretender B inputs the inquiry β and the random bit e,created previously, into an inquiry randomizer 220 to compute arandomized inquiry β', which is sent to the prover A.

The inquiry randomizer 220 is formed by a modulo calculator, forexample, which computes the randomized inquiry β' by

    β'=β+e(mod 2).

The above modulo calculation is equivalent to the exclusive OR of β ande.

Step S₇ : Upon receipt of the randomized inquiry β', the prover A inputsthe random number r, previously created by the random generator 111, andthe randomized inquiry β' into the proving device 120 to compute aproved response z, which is sent to the pretender B.

The proving device 120 is formed by, for example, a secret key storage121 and a modulo calculator 122. The secret key s, which is read out ofthe secret key storage 121, the random number r created by the randomgenerator 111, and the received randomized inquiry β', are provided to amodulo calculator 122, wherein the proved response z is computed by

    z=r·s.sup.β' (mod N).

Step S₈ : Upon receipt of the proved response z, the pretender B appliesthe proved response z, the previously created information x, the inquiryβ and the random components e and u to the derandomizer 230 to compute aproved response z' having removed therefrom the random components. Theproved response z' is sent to the verifier C.

The derandomizer 230 comprises, for instance, a condition checker 231and a modulo calculator 232, and computes the proved response z' by##EQU4## Step S₉ : Upon receipt of the proved response z', the verifierC verifies its validity by use of the verifying device 330.

The verifying device 330 comprises, for example, a modulo calculator 331and a comparator 332, and checks whether or not

    x"=z'.sup.2 ·x.sup.β  (mod N)

holds for x" read out of the information storage 310, x produced by thefunction calculator 305 and β generated by the random generator 320.

In the above the inquiry-response interactions are performedsequentially t times, but they may also be performed at the same time.

Next, the message authentication procedure shown in FIG. 4 will bedescribed with reference to the constitutions 100, 200 and 300 of theprover A, the signature client B and the verifier C depicted in FIGS. 5,8 and 9, respectively.

This procedure employs the use authentication system of the Fiat-Shamirmethod between the prover A and the signature client B and the messageauthentication system of the Fiat-Shamir method between the signatureclient B and the verifier C. An untraceable message authentication canbe implemented by keeping secret, on the part of the signature client B,information which links the two authentication systems.

As is the case with the Fiat-Shamir method, a trusted center makespublic the composite number n and the one-way function f, computes thesecret key s corresponding to the identifying information ID of theprover A, and sends the secret key s to the prover A. The followingdescription will be given of the case where k=1.

The signature client B signs a message m through the aid of the prover Ausing the following procedure.

Step S₁ : The prover A sends the identifying information ID to thesignature client B and the verifier C.

Step S₂ : The prover A, the signature client B and the verifier Ccompute x=f(ID) by use of the one-way function calculators 105, 205 and305, respectively.

Step S₃ : The prover A computes an initial response x' composed of tresponses x'_(i) (i=1, 2, . . . , t) by the initial response generator110 and sends it to the signature client B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112. The random generator 111 isused to generate t random numbers r_(i) and the modulo calculator 112 isused to compute the t responses x'_(i) by

    x'.sub.i =x·r.sub.1.sup.2 (mod N).

The responses x'_(i) thus obtained are sent as the initial response x'to the signature client B.

Step S₄ : Upon receipt of the initial response x', the signature clientB generates t sets of a random bit e_(i), which is 0 or 1, and a randomnumber u_(i) by use of the random generator 210, and inputs theirvalues, the received t responses x'_(i) and the previously created xinto the initial response randomizer 215 to obtain t randomized initialresponses x"_(i), and x"=(x"₁,. . . x"_(t)) is supplied to an inquirygenerator 250.

The initial response randomizer 215 is formed by a modulo calculator,for example. The t sets of e_(i) and u_(i) created by the randomgenerator 210, the received t initial responses x'_(i) and theabove-mentioned x are applied to the initial response randomizer 215,wherein the t randomized initial responses x"_(i) are formed by

    x".sub.i =u.sub.i.sup.2 ·x.sup.-e.sbsp. ·x'.sub.i (mod N) (i=i, 2, . . . ,t).

Step S₅ : The signature client B inputs the message m and the trandomized initial responses x"_(i) i into an inquiry generator 250 tothereby create an inquiry β and a randomized inquiry β' obtained byrandomizing the former with the random component e_(i). The randomizedinquiry β' is transmitted to the prover A and the inquiry β is appliedto a derandomizer 260.

The inquiry generator 250 comprises, for example, a one-way functioncalculator 251 and a modulo calculator 252, by which the inquiry β=(β₁,. . . ,β_(t)) and the randomized inquiry β'=(β'₁, . . . , β'_(t)) arecomposed by β=(β₁,. . . ,β_(t))=f(m, x"₁,. . . x"_(t)) and β'_(i) =β_(i)+e_(i) (mod 2) (i=1,2,. . . ,t).

Step S₆ : Upon receipt of the randomized inquiry β', the prover Acomputes a proved response z, by the proving device 120, from thepreviously generated random numbers r_(i) and the received randomizedinquiry β', and sends the proved response z to the signature client B.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 123. A secret key s read out of the secret keystorage 121, the random number supplied from the random generator 111,and the randomized inquiry β' are applied to the modulo calculator 122,wherein the proved response

    z=(z.sub.1, ... , z.sub.t)

is obtained using a proved response z_(i) calculated by

    z.sub.i =r.sub.i ·s.sup.β' (mod N) (i=1, 2, . . . , t).

Step S₇ : Upon receipt of the proved response z, the signature client Bprovides the proved response z, the previously created information x andthe t sets of random numbers e_(i) and u_(i) to a derandomizer 260,wherein a proved response z' having removed therefrom the influence ofrandom components is computed. The proved response z' thus obtained issent to the verifier C, together with the inquiry β and the message m.

The derandomizer 260 comprises, for example, a condition checker 261 anda modulo calculator 262, by which

    z'=(z'.sub.1,. . . , z'.sub.t)

is obtained using z' _(i) computed by ##EQU5## Step S₈ : The verifier Cchecks the validity of (m, β, z') by use of a verifying device 340.

The verifying device 340 comprises, for example, a modulo calculator341, a one-way function calculator 342, and a comparator 343, by whichx*_(i) is obtained by

    x*.sub.i =z'.sub.i.sup.2 ·x.sub.i.sup.β (mod N)

and it is checked whether or not

    β=f(m, x*.sub.1, . . . x*.sub.t)

holds.

In the authentication systems shown in FIGS. 3 and 4, k=1, andconsequently, the prover A uses only one secret key s. In order toensure the security of the user authentication, in particular, it isnecessary to increase the number of interations t of Steps 3 to 6, sothat the communication efficiency is poor.

FIGS. 10 and 11 illustrate other embodiments of the procedures for theuser authentication and the message authentication of the authenticationsystem of the present invention which utilize the Fiat-Shamir method asin the cases of FIGS. 3 and 4. FIGS. 12 to 16 illustrate theconstitutions of the prover A (100), the pretender signature or theclient B (200) and the verifier C (300). They are identical in basicarrangement with but differ in operation from those shown in FIGS. 5 to9. In addition, the prover A is so designed as to use k secret keyss_(j) (j=1, 2, . . . , k). In the case of k≧2, the security of theauthentication system obtainable with one authentication procedure isparticularly high. A description will be given first, with reference toFIGS. 12, 13 and 14, of the user authentication procedure of FIG. 10 bywhich the prover A proves to the verifier C that he has confirmed theidentity of the pretender B.

As is the case of the Fiat-Shamir method, a trusted center makes publica composite number N and a one-way function f, computes k secret keyss_(j) corresponding to identifying information ID of the prover A, andsends the secret keys s_(j) to the prover A. It must be noted here thatj=1, 2, . . . , k and that s_(j) satisfies s_(j) ² (mod N)=x_(j) =f(ID,j).

The prover A proves the validity of the pretender B to the verifier Cfollowing the following procedure.

Step S₁ : The prover A sends identifying information ID to the pretenderB and the verifier C.

Step S₂ : The pretender B and the verifier C compute information x_(j)=f(ID, j) by using the one-way function generators 205 and 305,respectively. In this instance, j=1, 2, . . . , k. Next, the followingsteps S₃ to S₆ are repeated t times.

Step S₃ : The prover A generates an initial response x' by an initialresponse generator 110 and sends it to the pretender B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112, and generates a random numberr by the random generator 111 and computes x' by the modulo calculator112 by

    x'=r.sup.2 (mod N).

Step S₄ : Upon receipt of the initial response x', the pretender Bapplies k random bits {e_(j) }, each 0 or 1, and a random number u, bothgenerated by a random generator 210, the initial response x' and theafore-mentioned information {x_(j) } to an initial response randomizer215 to compute a randomized initial response x", which is sent to theverifier C.

The initial response randomizer 215 is formed as a modulo calculator,for example, which computes the randomized initial response x" from thereceived initial b response x', the information x_(j), the random bits{e_(j) }, and the random number u by ##EQU6## Step ₅ : Upon receipt ofthe randomized initial response X", the verifier C stores it in aninformation storage 310, then creates k random bits {βj}, each 0 or 1,by a random generator 320, and sends β=(β₁,. . . ,β_(k)) as an inquiryto the pretender B.

Step S₆ : The pretender B inputs the inquiry β and the afore-mentionedrandom bits {e_(j) }into an inquiry randomizer 220 to compute arandomized inquiry β'=(β'₁, . . . , β'_(k)), which is sent to the proverA.

The inquiry randomizer 220 is formed as a modulo calculator, forexample, which computes

    β'.sub.j =β.sub.j +e.sub.j mod 2.

Step S₇ : The prover A inputs the randomized inquiry β' and theafore-mentioned random number r into a proving device 120 to compute aproved response z, which is sent to the pretender B.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 122. k secret keys {s_(j) }, which are read outof the secret key storage 121, the random number r from the initialresponse generator 110, and the received randomized inquiry β' areprovided to the modulo calculator 122 to compute the proved response zby ##EQU7## Step S₈ : The pretender B inputs the proved response z, theafore-mentioned information {x_(j) }, random bits {β_(j) } and {e_(j) }and random number u into a derandomizer 230, by which a proved responsez' free from the influence of random components is computed. The provedresponse z' is sent to the verifier C.

The derandomizer 230 comprises, for example, a condition checker 231 anda modulo calculator 232, by which the proved response z' is computed##EQU8## where C_(j) =β_(j) ·e_(j). Step S₉ : Upon receipt of the provedresponse z', the verifier C verifies its validity by a verifying device330.

The verifying device 330 comprises, for example, a modulo calculator 331and a comparator 332, and checks whether or not ##EQU9## holds for theinitial response x" from the information storage 310, the informationx_(j) from the one-way function calculator 305 and the inquiry β fromthe random generator 320.

While in the above the inquiry-response interactions are performedsequentially t times, they also be conducted at the same time. Further,t may also be 1.

Next, a description will be given, with reference to FIGS. 12, 15 and16, of the message authentication procedure of FIG. 11 in which thesignature client B signs a message m through the aid of the prover A.

As in the case of the Fiat-Shamir method, a trusted center makes publica composite number N and a one-way function f, computes k secret keys{s_(j) } (where j=1, 2, . . . , k) corresponding to the identifyinginformation ID of the prover A, and delivers {s_(j) } to the prover A.Here, s_(j) satisfies s_(j) ² (mod N)=x_(j) =f(ID, j).

The signature client B signs the message m through the aid of the proverA as follows.

Step S₁ : The prover A sends the identifying information ID to thesignature client B and the verifier C.

Step S₂ : The signature client B and the verifier C compute informationx_(j) =f(ID, j) by one-way function calculators 205 and 305,respectively.

Step S₃ : The prover A computes, by an initial response generator 110,x' composed of t initial response x'_(i) (i=1, 2, . . . , t) and sendsit to the signature client B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112. The random generator 111generates t random numbers r_(i) and the modulo calculator 112 computesthe t initial response x'_(i) by

    x'.sub.i =r.sub.i.sup.2 (mod N) for i=1,2,. . . , t.

Step S₄ : Upon receipt of x', the signature client B generates t sets ofk bits {e_(ij) } and random numbers u_(i) by a random generator 210 andinputs their values, the received t initial responses x'_(i) and theafore-mentioned {x_(j) } into an initial response randomizer 215, fromwhich t randomized initial responses x"_(i) are obtained. The signatureclient B provides a randomized initial response x"=(x"₁,. . . , x"_(t))to an inquiry generator 250.

The initial response randomizer 215 is formed by a modulo calculator forexample. The t sets of {e_(ij) } and u_(i) created by the randomgenerator 210, the received t initial responses x'_(i), and x_(j)calculated by the function calculator 205 and input into the initialresponse randomizer 215 to compute the t randomized initial responsesx"_(i) by ##EQU10## for i=1, 2, . . . ,t. Step S₅ : The signature clientB inputs the message m and the t randomized initial responses x"_(i)into an inquiry generator 250, by which an inquiry β and a randomizedinquiry β' are produced. The randomized inquiry β is transmitted to theprover A and the inquiry β is provided to a derandomizer 260.

The inquiry generator 250 comprises, for example, a one-way functioncalculator 251 and a modulo calculator and computes

    β={β.sub.ij } and β'={β'.sub.ij }

from

    {β.sub.ij }=f(m, x".sub.1,. . . , x".sub.t and β'.sub.ij =β.sub.ij +e.sub.ij mod 2 (i=1,2, . . . ,t and j=1, 2, . . . , k)

Step S₆ : Upon receipt of the randomized inquiry β', the prover Acomputes, by a proving device 120, a proved response z from theafore-mentioned random number r_(i) and the received randomized inquiryβ'. The proved response z is sent to the signature client B.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 122. The key secret keys {s_(j) }, which areread out of the secret key storage 121, {r_(i) } from the initialresponse generator 110, and the received randomized inquiry β' are inputinto the modulo calculator 122, from which z=(z₁,. . . , z_(t)) isobtained using z_(i) computed by ##EQU11## Step S₇ : The signatureclient B inputs the proved response z and the afore-mentioned {x_(j) },{β_(ij) } and t sets of ({e _(ij) }, u_(i)) into a derandomizer 260, bywhich a proved response z' free from the influence of random componentis computed. The proved response z' is sent to the verifier C, togetherwith the inquiry β and the message m.

The derandomizer 260 comprises, for example, a condition checker 261 anda modulo calculator 262, by which the proved response z' is obtained

    z'=(z'.sub.1, . . . , z'.sub.t)

using z'_(i) computed by ##EQU12## Step S₈ : Upon receipt of the messagem, the inquiry β and the proved response z', the verifier C checks theirvalidity by a verifying device 240.

The verifying device 340 comprises, for example, a modulo calculator341, a one-way function calculator 342 and a comparator 343, andcomputes

    x*=(x*.sub.1, . . . , x*.sub.t)

from ##EQU13## thereby checking whether or not

    {β.sub.ij }=f(m, x*)

holds.

In the embodiment shown in FIGS. 10 and 11 the use of the k secret keyss_(j) by the prover A provides increased security, and as a result ofthis, the number of interactions t among A, B and C can be decreased,but in the case where t=1, since the power A uses the plural secret keyss_(j), he calls for a large-capacity memory accordingly.

As an authentication system which requires smaller memory capacity forstoring the secret key and is excellent in communication efficiency andhigh speed, an extended Fiat-Shamir scheme has been proposed by thepresent inventors (K. Ohta: "Efficient Identification and SignatureSchemes," Electronics Letters, Vol. 24, No. 2, pp 115-116, 21st Jan. ,1988 and K. Ohta, T. Okamoto: "Practical Extension of Fiat-ShamirSchemes," Electronics Letters, Vol. 24, No. 15, pp. 955-956, 21st Jan. ,1988).

With the extended Fiat-Shamir schemes, the amount of processing is (5l+2)/2 multiplications (including modulo N calculations) on an average.The meaning of l will be described later. Since it is recommended toselect l=20, in particular, the number of multiplications needed in theextended Fiat-Shamir schemes is 51; namely, the amount of processing canbe reduced about 7%, as compared with the amount of processing needed inthe signature scheme employing the RSA scheme.

The outline of the extended Fiat-Shamir schemes is as follows.

A trusted center creates, by the following steps, a secret key s for auser who wears ID as his personal identifying information. Here, N isinformation made public and can be expressed as N=P×Q, where P and Q aresecret primes. L is an integer and f is a one-way function and is madepublic.

Step 1: x=f(ID) is computed using the one-way function f.

Step 2: s which satisfies s^(L) =x(mod N) is computed using the primefactors P and Q of N (that is, s is the L power root of x).

Step 3: The center secretly issues s to the user and makes public theone-way function f and the composite number N.

The user authentication system is as follows.

By the following steps the prover A proves to the verifier C that he isA.

Step 1: The prover A sends ID to the verifier C.

Step 2: The verifier C computes x=f(ID).

The following steps 3 to 6 are repeated t times (t being a parameterwhich defines security and equal to or greater than 1).

Step 3: The prover A creates a random number r, computes x'=r^(L) (modN) and sends it to the verifier C.

Step 4: The verifier C creates an integer e equal to or greater than 0but smaller than L and sends it to the prover A.

Step 5: The prover A creates a signed message z by z=r·s^(e) (mod N) andsends it to the verifier C.

Step 6: The verifier C checks whether or not x'=z^(L) ·x^(-e) (mod N)holds. (x-1 is an inverse element of x in mod N.)

According to the method of creating z, z^(L) ·x^(-e) =r^(L) ·(s^(L)·x⁻¹)^(e) =r^(L) =x'(mod N), so that when the check in Step 6 issuccessful, the verifier C accepts A's proof of identity. Here, theprobability of the verifier C mistaking a false prover for the realprover A is 1/L^(t).

With the extended Fiat-Shamir scheme, even if only one secret key s isused and the steps 3 to 6 are repeated only once, the security can beprovided by a suitable selection of the integer L.

The above is the user authentication system, and the messageauthentication system can be implemented by modifying the aboveprocedure as follows.

The first l bits of f(m, x'), obtained by applying the message m and x'to the one-way function f, are regraded as a binary representation ofthe integer e, and (ID, m, e, z) is transmitted as a signed message tothe verifier.

As described above, the extended Fiat-Shamir scheme is a high-speedauthentication system which affords reduction of the memory capacity forstoring the secret key and is excellent in communication efficiency.Nevertheless, there has been proposed no untraceable authenticationsystem using the extended Fiat-Shamir scheme.

FIGS. 17 and 18 are diagrams respectively illustrating the userauthentication and the message authentication procedure in the case ofapplying the above-described extended Fiat-Shamir scheme to theauthentication systems of the present invention shown in FIGS. 1 and 2.FIGS. 19 to 23 illustrate the arrangements of the prover A (100), thepretender or signature client B (200) and the verifier C (300) forexecuting these authentications. The basic arrangements of the prover A,the pretender or signature client B, and the verifier C are identicalwith those depicted in FIGS. 5 to 9 and 12 to 16. A description will begiven first, with reference to FIGS. 19, 20 and 21, of the userauthentication procedure of FIG. 17 by which the prover A proves to theverifier C that he has established the identity of the pretender B.

As in the case of the extended Fiat-Shamir scheme, a trusted centermakes public the composite number N, the one-way function f, and theinteger L, computes a secret key s corresponding to identifyinginformation ID of the prover A, and delivers the secret key s to theprover A. Here, s satisfies s^(L) (mod N)=x=f(ID).

The prover A proves the validity of the pretender B to the verifier C bythe following procedure.

Step S₁ : The prover A sends ID to the pretender B and the verifier C.

Step S₂ : The pretender B and the verifier C compute information x=f(ID)by one-way function calculators 205 and 305, respectively.

Next, the following steps S₃ to S₆ are repeated t times.

Step S₃ : The prover A generates an initial response x' by an initialresponse generator 110 and sends it to the pretender B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112. The random generator 111generates a random number r, which is applied to the modulo calculator112, wherein x' is computed by

    x'=r.sup.L (mod N).

Step S.sub. : 4 Upon receipt of the initial response x', the pretender bgenerates, by a random generator 210, a random integer e greater than 0but smaller than L and a random number u equal to or greater than 1 butsmaller than N, and inputs the random components e and u, the initialresponse x' and the afore-mentioned information x into an initialresponse randomizer 215 to obtain a randomized initial response x",which is sent to the verifier C.

The initial response randomizer 215 is formed as, for example, a modulocalculator, which computes x" from the received initial response x', theinformation x, the random integer e and the random number u by

    x"=x'·u.sup.L ·x.sup.e (mod N).

Step S₅ : The verifier C stores the received randomized initial responsex" in an information storage 310, and creates, by a random generator320, an integer β greater than 0 but smaller than L, then sends theinteger β as an inquiry to the pretender B.

Step S₆ : The pretender B inputs the and the afore-mentioned integer einto an inquiry randomizer 220 to compute a randomized inquiry β', whichis sent to the prover A. The inquiry randomizer 220 is formed as, forexample, a modulo calculator, by which is computed

    β'=e+β(mod L).

Step S₇ : The prover A inputs the received randomized inquiry β' and theafore-mentioned random number r into a proving device 120 to compute aproved response z, which is sent to the pretender B.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 122. The secret key s read out of the secret keystorage 121, the random number r from the initial response generator 110and the received randomized inquiry β' into the modulo calculator 122,wherein z is computed by

    z=r·s.sup.β' (mod N).

Step S₈ : The pretender B inputs the received proved response z, theaforementioned information x, the inquiry β and the random components eand u into a derandomizer 230 to compute a proved response z' free fromthe influence of random components. The proved response z' is sent tothe verifier C.

The derandomizer 230 comprises, for example, a condition checker 231 anda modulo calculator 232 and computes

    z'=u·z·x.sup.c (mod N)

where

c=1 for e+β≧L

c=0 elsewhere.

Step S₉ : Upon receipt of the proved response z', the verifier C checksits validity by use of a verifying device 330.

The verifying device 330 comprises, for example, a modulo calculator 331and a comparator 332 and checks whether or not

    x"=z'.sup.L ·x.sup.-β (mod N)

holds for the randomized initial response x" supplied from theinformation storage 310, the function supplied from the one-way functioncalculator 305 and the integer β supplied from the random generator 320.

In the above the inquiry-response interactions (Steps S₃ to S₆) aresequentially repeated t times, but they may also be performed at thesame time, with their t components arranged in parallel.

Next, a description will be given, with reference to FIGS. 19, 22 and23, of the message authentication procedure of FIG. 18 by which thesignature client B signs a message m through the aid of the prover A.

This procedure utilizes the user authentication system of the extendedFiat-Shamir scheme between the prover A and the signature client B andthe message authentication system of the extended Fiat-Shamir schemebetween the signature client B and the verifier C. By keeping secret, onthe part of the signature client B, information which links the twoauthentication systems with each other, it is possible to implementuntraceable message authentication processing.

As in the case of the extended Fiat-Shamir scheme, a trusted centermakes public a composite number N, a one-way function f and an integerL, computes a secret key s corresponding to identifying information IDof the prover A, and delivers it to the prover A. As in the above, ssatisfies s^(L) (mod N)=x=f(ID).

By the following procedure the signature client B signs a message mthrough the aid of the prover A.

Step S₁ : The prover A sends ID to the signature client B and theverifier C.

Step S₂ : The signature client B and the verifier C compute informationx =f(ID) by one-way function calculators 205 and 305, respectively.

Step S₃ : The prover A computes, by an initial response generator 110,an initial response x' composed of t initial responses x'_(i) (i=1, 2, .. . , t) and sends it to the signature client B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112. The random generator 111generates t random number r_(i), which are provided to the modulocalculator 112, wherein t initial responses x'_(i) by

    x'.sub.i =r.sub.i.sup.L (mod N) for i=1, 2, . . . , t.

Step S₄ : Upon receipt of the initial response x', the signature clientB generates, by a random generator 210 t sets of e_(i) greater than 0but smaller than L and a random numbers u_(i) greater than 1 but smallerthan N, and inputs their values, the received t initial responses x'_(i)and the afore-mentioned information x into an initial responserandomizer 215 to compute t randomized initial responses x"_(i), whichare provided to an inquiry generator 250.

The initial response randomizer 215 is formed by, for example, a modulocalculator. The t sets of e_(i) and u_(i) generated by the randomgenerator 210, the received t initial responses x'_(i) and theinformation x are applied to the initial response randomizer 215,wherein the t randomized initial responses x"_(i) are computed by

    x".sub.i =u.sub.i.sup.L ·x.spsp.e.sup.i ·x'.sub.i (mod N) for i=1, 2, . . . , t.

Step S₅ : The signature client B inputs the message m and the trandomized initial responses x"_(i) into an inquiry generator 250,wherein an inquiry β and a randomized inquiry β' obtained by randomizingthe former are created. The randomized inquiry β' is transmitted to theprover A and the inquiry β is supplied to a derandomizer 260.

The inquiry generator 250 comprises, for example, a one-way functioncalculator 251 and a modulo calculator 252 and obtains β=(β₁, . . . ,β_(t)) and β'=(β'₁ ', . . . , β'_(t)) by

    (β.sub.1 ', . . . , β.sub.t)=f(m, x".sub.1, . . . , x".sub.t)

    β'.sub.i =e.sub.i +β.sub.i (mod L)

    (i=1, 2, . . . , t).

Here, β'_(i) and β_(i) are integers greater than 0 but smaller than L.

Step S₆ : Upon receipt of the randomized inquiry β', the prover Acomputes, by a proving device 120, a proved response z from theafore-mentioned random number r_(i) and the received inquiry β', andsends it to the signature client B.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 122. The secret key s read out of the secret keystorage 121, the random number r_(i) generated by the random generator111 and the received randomized inquiry β'=(β'₁, . . . , β'_(t)) areapplied to the modulo calculator 122, wherein z_(i) is computed by

    z.sub.i =r.sub.i ·s.sup.β'i (mod N) for i=1, 2, . . . , t.

thereby obtaining z=(z₁, . . . , z_(t)).

Step S₇ : Upon receipt of the proved response z, the signature client Binputs the received proved response z, the afore-mentioned information xand t sets of (e_(i), u_(i) ), and the inquiry β_(i) into a derandomizer260, wherein a proved response z' free from the influence of randomcomponents is computed. The proved response z' is sent to the verifierC, along with the inquiry β and the message m.

The derandomizer 260 comprises, for example, a condition checker 261 anda modulo calculator 252. The proved response z'=(z'₁, . . . , z'_(t)) isobtained by

    z'.sub.i =u.sub.i z.sub.i x.sup.c.sbsp.i (mod N)

where c_(i) =1 for e_(i) +β_(i) ≧1

c_(i) =0 elsewhere.

Step S₈ : Upon receipt of the message m, the inquiry β and the provedresponse z', the verifier C checks their validity by a verifying device34.

The verifying device 340 comprises, for example, a modulo calculator341, a one-way function calculator 342 and a comparator 343. x*=(x*₁, .. . , x*_(t)) is obtained by

    x*.sub.i =z'.sub.i.sup.L ·x.sup.-β.sbsp.i (i mod N)

thereby checking whether

    β=f(m, x*)

holds.

The above is the untraceable authentication systems based on theextended Fiat-Shamir scheme. The Fiat-Shamir scheme and the extendedFiat-Shamir scheme are based on the fact that when the factorization ofN into prime factors is difficult, the calculation of the square root in(mod N) and the calculation of the L power root in (mod N) aredifficult. Accordingly, if an efficient method for factorization intoprime factors should be discovered, the security of the blind signaturesystems based on these schemes could be endangered. On the other hand,an authentication scheme which utilizes difficulty of a discretelogarithm problem would be still secure, even if an efficient method forfactorization into prime factors should be discovered, and this schemeis applicable to the authentication system of the present invention asis the case with the above-described Fiat-Shamir scheme and extendedFiat-Shamir scheme. The authentication scheme based on the discretelogarithm problem is discussed in M. Tompa and H. Woll, "RandomSelf-Reducibility and Zero Knowledge Interactive Proofs of Possession ofInformation," FOCS, pp. 472-482 (1987) and T. Okamoto and K. Ohta, "Anabuse of Zero Knowledge Proofs, Measures to Protect It, and ItsApplications," The proceedings of the 1988 Workshop Cryptography andInformation Security, Kobe, Japan, July 28-29 , 19888, for example.

FIGS. 24 and 25 are diagrams respectively illustrating the userauthentication and the message authentication procedure in the case ofapplying the difficulty of the discrete logarithm problem to theauthentication systems of the present invention shown in FIGS. 1 and 2.FIGS. 26 to 30 illustrate the constitutions of the prover A (100), thepretender or signature client B (200) and the verifier C (300) for theauthentications. Their basic constitutions are identical with those inthe embodiments described above. A description will be given first, withreference to FIGS. 26 , 27 and 28, of the user authentication procedureof FIG. 24 by which the prover A proves to the verifier C that he hasestablished the identity of the pretender B.

A trusted center makes public a prime P and an integer g. By thefollowing procedure the prover A proves the validity of the pretender Bto the verifier C. Let it be assumed here that the prover A holds, forpublic information x, a secret key s which satisfies x=g^(s) (mod P).

Step S₁ : The prover A sends the public information x to the pretender Band the verifier C.

Step S₂ : The prover A creates an initial response x' by an initialresponse generator 110 and sends it to the pretender B.

The initial response generator 110 comprises, for example, a randomgenerator 111 and a modulo calculator 112. A random number r (0≦r≦P-2)generated by the random generator 111 and the public numbers g and P areprovided to the modulo calculator 112, wherein the following computationis conducted:

    x'=g.sup.r (mod P).

Step S₃ : Upon receipt of the initial response x', the pretender Binputs a random bit e which is 0 or 1 and a random number u (0≦u≦P-2),both generated by a random generator 210, the received initial responsex', the public information x, and the public numbers g and P into aninitial response randomizer 215, wherein a randomized initial responsex" is computed. The randomized initial response x" thus obtained is sentto the verifier C.

The initial response randomizer 215 is formed as, for example, a modulocalculator, which computes the expression:

    x"=g.sup.u ·x.sup.e ·x'.sup.1-2e (mod P).

Step S₄ : Upon receipt of the randomized initial response x", theverifier C stores it in an information storage 310, generates a randomnumber β by a random generator 320, and transmits it as an inquiry tothe pretender B.

Step S₅ : Upon receipt of the inquiry β, the pretender B inputs it andthe afore-mentioned random bit e into an inquiry randomizer 220, whereina randomized inquiry β'is computed. The randomized inquiry thus obtainedis sent to the prover A.

The inquiry randomizer 220 is formed by, for example, a modulocalculator, which computes the following expression:

    β'=e+βmod 2.

Step S₆ : Upon receipt of the randomized inquiry β', the prover A inputsthe afore-mentioned random number r, the public number P, and thereceived randomized inquiry β' into a proving device 120, wherein aproved response z is computed. The proved response z thus obtained isreturned to the pretender B.

The proving device 120 comprises, for example a secret key storage 121and a modulo calculator 122. A secret key s read out of the secret keystorage 121, the random number r from the random generator 111, thepublic number P, and the randomized inquiry β' are input into the modulocalculator 122, wherein the proved response z is computed by thefollowing expression:

    z=r-β' s(mod P-1)

Step S₇ : Upon receipt of the proved response z, the pretender B inputsit, the public number P, the random bit e, and the random number u intoa derandomizer 230, wherein a proved response z' free from the influenceof random components is computed. The proved response z' thus obtainedis sent to the verifier C.

The derandomizer 230 is formed by, for example, a modulo calculator,which computes the proved response z' by the following expression:

    z'=u+z.sup.1-2e (mod P-1).

Step S₈ : Upon receipt of the proved response z', the verifier C checksits validity by a verifying device 330.

The verifying device 330 comprises, for example, a modulo calculator 331and a comparator 332. The modulo calculator 331 computes x* from thepublic numbers g and P, the public information x and the random number βfrom the random generator 320 by the following expression:

    x*=g.sup.z' ·x (mod P-1).

The comparator 332 compares the x* and the initial response x" read outof the information storage 310, thus checking whether or not x"=x*holds.

In this embodiment the random number r in the expression in Step S₂, forexample, can be considered as a logarithm of x' with g as its base, butin general, even if x' is known, it is difficult to solve its logarithm.That is to say, this embodiment utilizes the difficulty in solving adiscrete logarithm.

Next, a description will be given, with reference to FIGS. 26, 29 and30, of the message authentication procedure of FIG. 25 by which thesignature client B signs a message m through the aid of the prover A.

A trusted center makes public an integer g and a prime P. The signatureclient B signs the message m by the aid of the prover A in the followingmanner.

Step S₁ : The prover A sends public information x to the signatureclient B and the verifier C.

Step S₂ : The prover A computes, by an initial response generator 110,an initial response x' composed of x₁, x₂, . . . , x_(t), and sends itto the signature client B.

The prover A is identical in construction with that of the prover A inthe user authentication shown in FIG. 26, but the random generator 111generates t random numbers r_(i) (i=1, 2, . . . , t; 0≦r_(i) <P-2) andthe random calculator 112 computes the t initial responses x'_(i) (i=1,2, . . . , t) by the following expression:

    x'.sub.i =.sup.r g i (mod P).

Step S₃ : Upon receipt of the initial response x', the signature clientB generates t sets of random numbers e_(i) and u_(i) by a randomgenerator 210. Each set of random numbers, the public number P, thepublic information x, and each of the received initial responses x"_(i)are provided to an initial response randomizer 215, wherein t randomizedinitial responses x"_(i) are computed. The t randomized initialresponses x"_(i) thus obtained are provided to an inquiry generator 250.

The initial response randomizer 250 is formed by a modulo calculator,which computes t randomized initial responses x"_(i) from the t sets ofrandom numbers e_(i) and u_(i), the received t initial responses x'_(i),the public information x, and the public number P by the followingexpression:

    x".sub.i =g.sup.u.sbsp.i ·x.sup.e.sbsp.i ·x'.sub.i .sup.1-2e.sbsp.i (mod P).

Step S₄ : The signature client B further provides the message m, the trandomized initial responses x"_(i) and the t random numbers e_(i) tothe inquiry generator 250 to create an inquiry β and a randomizedinquiry β' produced by randomizing the former. The randomized inquiry β'thus obtained is sent to the prover A.

The inquiry generator 250 comprises a one-way function calculator 251and a modulo calculator 252, and computes β and β' by the followingexpressions:

    β=(β.sub.1, . . . , β.sub.t)=f(m, x".sub.1, . . . , x".sub.t)

    β'.sub.i =e.sub.i +β.sub.i mod 2, β'=(β'.sub.1, . . . , β'.sub.t)

Step S₅ : Upon receipt of the randomized inquiry β', the prover Acomputes, by a proving device 120, a proved response z from theafore-mentioned random number r_(i) and the received randomized inquiryβ'. The proved response z thus obtained is sent to the signature clientB.

The proving device 120 comprises, for example, a secret key storage 121and a modulo calculator 122. The secret key s read out of the secret keystorage 121, the random number r_(i) generated by the random generator111 previously, the received randomized inquiry β', and the publicnumber P are provided to the modulo calculator 122, wherein the provedresponse z is computed by the following expression:

    z.sub.i =r.sub.i =β'.sub.i s(mod P-1)

    z=(z.sub.1, . . . , z.sub.t)

Step S₆ : Upon receipt of the proved response z, the signature client Bprovides it and the t sets of random numbers (e_(i), u_(i) ) to aderandomizer 260, wherein a proved response z' free from the influenceof random components is computed. The proved response z' thus obtainedis sent to the verifier C, together with the initial inquiry β and themessage m.

The derandomizer 260 is formed by, for example, a modulo calculator 262,which computes z'_(i) by the following expression:

    z'.sub.i =u.sub.i +z.sub.i.sup.1-2e (mod P-1)

    z'=(z'.sub.1, . . . , z'.sub.t)

Step S₇ : Upon receipt of the message m, the initial inquiry β and theproved response z', the verifier C checks their validity by a verifyingdevice 340.

The verifying device 340 comprises, for example, modulo calculator 341,a one-way function calculator 342, and a comparator 343. The modulocalculator 341 computes x* from the received proved response z', theinitial inquiry β, the public information x, and the public numbers gand P by the following expression:

    x*.sub.i =g.spsp.z'hu i·x.sup.β.sbsp.i (mod P)

    x*=(x*.sub.1, . . . , X*.sub.t).

The one-way function calculator 342 computes e* from the receivedmessage m and the above calculated x* by the following expression:

    e*=f(m, x*).

The comparator 343 checks whether or not e* thus computed agrees withthe received initial inquiry β.

In all of the embodiments described above in conjunction with FIGS. 3 to9, 10 to 16, and 17 to 23, the information x is computed by applying thepersonal identifying information ID of the prover A to the one-wayfunction f. However, since the one-way function f is public and sincethe personal identifying information ID is also essentially public, theinformation x can also be regarded as being substantially public.Accordingly, it is also possible to employ a method in which the centeror prover A makes public the information x and the pretender orsignature client B and the verifier C directly use the publicinformation x without computing it by use of the one-way function f instep S₂ in the embodiments of each authentication system.

For example, in the embodiment shown in FIGS. 5 to 9, the prover device100 in FIG. 5 can be used for both of the user authentication and themessage authentication by the present invention. The pretender device200 in the case of the user authentication shown in FIG. 6 is alsosubstantially common to the signature client device 200 for the messageauthentication shown in FIG. 8. The same is true of the verifier devices300 depicted in FIGS. 7 and 9. Accordingly, in the practice of theauthentication system of the present invention, even if the proverdevice 100, the pretender or signature client device 200 and theverifier device 300 are designed so that they can be used for both ofthe user authentication and the message authentication, the scale of theapparatus will not become so large. The above is true of the embodimentsof FIGS. 12 to 16, 19 to 23 and 26 to 30.

As described above, according to the present invention, the prover Acreates the proved response z by randomizing his secret key s with arandom number, and this prevents the pretender or signature client Bfrom stealing the secret key s from the prover A, providing increasedsecurity of the authentication system.

The pretender or signature client B provides the relationship betweenthe inquiries β and β' and the relationship between the proved responsesz and z' in forms of secret random numbers, respectively. By keepingthese relationships secret, the relationships between the datatransmitted between the prover A and the pretender or signature client Band the data transmitted between the pretender or signature client B andthe verifier C can be concealed. That is, in the user authentication theprover A can prove to the verifier C that he establishes the identity ofthe pretender B with out disclosing the B's identity. In the messageauthentication the signature client B can have the prover A sign themessage m without allowing its contents to become known. As a result ofthis, even if the prover A and the verifier C should conspire, theycould not know the identity of the pretender or signature client B nordetect the transmission of the message m from the pretender or signatureclient B. Thus untraceable authentication processing can be implemented.

By satisfying the zero knowledge interactive proof system property andnon-transferability which are the results of theoretical studies on thecomputational complexity theory, the system of the present inventionensures that even if the prover A and the verifier C conspire, theycould not know who the pretender or signature client B is and who theoriginator of the message m is.

As for the zero knowledge interactive proof system property andnon-transferability, see, Feige, U. and Fiat, A. and Shamir, A., "ZeroKnowledge Proofs of Identity," Proceedings of the 19th Annual ACMSymposium on Theory of Computing, pp. 210-217, 1987, for instance.

It will be apparent that many modifications and variations may beeffected without departing from the scope of the novel concepts of thepresent invention.

What is claimed is:
 1. An authentication system in which a prover A, a pretender B and a verifier C participate as the parties concerned, said system comprising the steps of:Step 1: said prover A creates an initial response x' by use of at least a random number r and sends it to said pretender B; Step 2: said pretender B generates random components, creates a randomized initial response x" by randomizing said initial response x' received from said prover A with at least said random component, and sends it to said verifier C; Step 3: said verifier C creates and sends an inquiry β to said pretender B; Step 4: said pretender B creates a randomized inquiry β' by randomizing said inquiry β received from said verifier C with at least said random component, and sends it to said prover A; Step 5: said prover A computes a proved response z corresponding to said randomized inquiry β' from at least a secret key s, said random number r and said randomized inquiry β', and sends it to said pretender B; Step 6: said pretender B computes a derandomized proved response z' by use of at least said proved response z and said random component, and sends it to said verifier C; and Step 7: said verifier C checks whether or not said derandomized proved response z' is a correct response to said randomized initial inquiry x" and said inquiry β;wherein the relationship between information (x', β', z) transmitted between said pretender B and said prover A and information (x", β, z') transmitted between said verifier C and said pretender B is held secret by keeping said random component secret on the part of the pretender B.
 2. An authentication system in which a prover A, a signature client B and a verifier C participate as the parties concerned, said system comprising the steps of:Step 1: said prover A creates an initial response x' by use of at least a random number r and sends it to said signature client B; Step 2: said signature client B generates random components and creates a randomized initial response x" by randomizing said initial response x' received from said prover A with at least said random component; Step 3: said signature client B creates an inquiry β through computation from said randomized initial response x" and a message m and computes a randomized inquiry β' by randomizing said inquiry β with said random component, and sends the latter to said prover A; Step 4: said prover A creates a proved response z corresponding to said randomized inquiry β β' by use of at least a secret key s, said random number r and said randomized inquiry β', and sends it to said signature client B; Step 5: said signature client B computes a derandomized proved response z' by use of at least said proved response z and said random components, and sends said message m, said inquiry β and said derandomized proved response z' to said verifier C; and Step 6: said verifier C checks whether or not said derandomized proved response z' and said inquiry β constitute a correct signature for said message m;wherein the relationship between information (x', β', z) transmitted between said signature client B and said prover A and information (m, β, z') transmitted between said verifier C and said signature client B is held secret by keeping said random components secret on the part of said signature client B.
 3. The authentication system of claim 1 wherein in said step 1 said prover A computes said initial response x' by a modulo calculation using said random number r and public information x;wherein in said step 2 said pretender B computes said randomized initial response x" by a modulo calculation using said initial response x', said random components and said public information x; wherein in said step 4 said pretender B computes said randomized inquiry β' by a modulo calculation using said inquiry β and said random components; wherein in said step 5 said prover A computes said proved response z by a modulo calculation using said random number r, said randomized inquiry β' and said secret key s, said secret key s satisfying s² mod N=x, N being a public number which is the product of at least two secret primes; wherein in said step 6 said pretender B computes said derandomized proved response z' by a modulo calculation using at least said proved response z, said random components and said public information x; and wherein in said step 7 said verifier C makes said check by determining whether or not said randomized initial response x" received from said pretender B matches with a value obtained by a modulo calculation from said derandomized proved response z', said inquiry β and said public information x.
 4. The authentication system of claim 2, wherein in said step 1 said prover A computes said initial response x' by a modulo calculation using said random number r and public information x;wherein in said step 2 said signature client B computes said randomized initial response x" by a modulo calculation using said random components, said initial response x' and said public information x; wherein in said step 3 said signature client B computes said randomized inquiry β' by a modulo calculation using said random components and said inquiry β; wherein in said step 4 said prover A computes said proved response z by a modulo calculation using said random number r, said randomized inquiry β' and said secret key s, said secret key s satisfying s² mod N=x, N being a public number which is the product of at least two secret primes; wherein in said step 5 said signature client B computes said derandomized proved response z' by a modulo calculation using at least said proved response z, said random components and said public information x; and wherein in said step 6 said verifier C performs a modulo calculation for said derandomized proved response z', said inquiry β and said public information x to obtain a value x* and makes said check by determining whether or not information β*=f(m, x*), obtained from said value x* and said message m by an operation using a one-way function f, matches with said inquiry β received from said signature client B.
 5. The authentication system of claim 1, wherein in said step 1 said prover A computes said initial response x' from said random number r through a modulo calculation;wherein in said step 2 said pretender B computes said randomized initial response x" from said initial response x', said random components and k pieces of public information x_(j) through a modulo calculation, where j=1, 2, . . . , k, k being an integer equal to or greater than 2; wherein in said step 4 said pretender B computes said randomized inquiry β' from said random components and said inquiry β through a modulo calculation; wherein in said step 5 said prover A computes said proved response z from said random number r, said randomized inquiry β' and k secret keys s_(j) through a modulo calculation, each of said secret keys s_(j) satisfying s_(j) ² mod N=x_(j), N being a public number which is the product of at least two secret primes; wherein in said step 6 said pretender B computes said derandomized proved response z' from said proved response z, said random components, said inquiry β and said k pieces of public information x_(j) through a modulo calculation; and wherein in said step 7 said verifier C makes said check by determining whether or not a value obtained by a modulo calculation from said derandomized proved response z', said inquiry β and said k pieces of public information x_(j) matches with said randomized initial response x" received from said pretender B.
 6. The authentication system of claim 2, wherein in said step 1 said prover A computes, by modulo calculation, t initial responses x'_(i) from t random numbers r_(i) where t is an integer greater than 1, and i=1, 2, . . . , t;wherein in said step 2 said signature client B computes, by modulo calculation, t randomized initial responses x"_(i) from said t initial responses x'_(i), said random components and k pieces of public information x_(j) where i=1, 2, . . . , t, k is an integer equal to or greater than 2 and j=1, 2, . . . , k; wherein in said step 3 said signature client B computes t inquiries β_(ij) from β_(ij) =f(m, x") using said t initial inquiries x"_(i) and said message m and creates, by modulo calculation, t randomized inquiries β'_(ij) from said t inquiries β_(ij) and said random components, f being a one-way function; wherein in said step 4 said prover A creates, by modulo calculation, t proved responses z_(i) from said t random numbers r_(i), said t randomized inquiries β'_(ij) and k secret keys s_(j), said secret keys s_(j) satisfying s_(j) ² mod N=x_(j), N being a public number which is the product of at least two secret primes; wherein in said step 5 said signature client B creates, by modulo calculation, t derandomized proved responses z'_(i) from said t inquiries β_(ij), said random components, said t proved responses z_(i) and said k pieces of public information x_(j) ; and wherein in said step 6 said verifier C performs modulo calculations for said t derandomized proved responses z'_(i), said t inquiries β_(ij) and said k pieces of public information x_(j) to obtain t values x*_(i) and makes said check by determining whether or not information f(m, x*_(i)), obtained from said t values x*_(i) and said message m by an operation using said one-way function, each match with the corresponding one of said t inquiries β_(ij).
 7. The authentication system of claim 1, wherein in said step 1 said prover A computes said initial response x' by a modulo calculation of the Lth power of said random number r;wherein in said step 2 said pretender B computes, by a modulo calculation, said randomized initial response x" from said initial response x', said random components and public information x; wherein in said step 4 said pretender B computes, by a modulo calculation, said randomized inquiry β' from said inquiry β and said random components; wherein in said step 5 said prover A computes, by a modulo calculation, said proved response z from said random number r, said randomized inquiry β' and said secret key s, said secret key s satisfying s^(L) mod N=x, N being a public number that is the product of at least two secret primes; wherein in said step 6 said pretender B computes, by a modulo calculation, said derandomized proved response z' from said proved response z, said random components, said inquiry β and said public information x; and wherein in said step 7 said verifier C makes said check by determining whether or not a value, obtained by a modulo calculation from said derandomized proved response z', said inquiry β and said public information x, matches with said randomized initial response x" received from said pretender B.
 8. The authentication system of claim 2, wherein in said step 1 said prover A computes, by a modulo calculation, t initial responses x'_(i) by modulo calculation of the Lth power of said random numbers r_(i), where t is an integer greater than 1 and i=1, 2, . . . , t;wherein in said step 2 said signature client B computes, by a modulo calculation, t randomized initial responses x"_(i) from said t initial responses x'_(i), said random components and public information x; wherein in said step 3 said signature client B computes, by β_(i) =f(m, x"_(i)), t inquiries β_(i) from said t randomized initial responses x"_(i) and said message m and creates, by a modulo calculation, t randomized inquiries β'_(i) from said inquiries β_(i) and said random components, f being a one-way function; wherein in said step 4 said prover A creates, by a modulo calculation, t proved responses z_(i) from said t randomized inquiries β'_(i) and said secret key s, said secret key s satisfying s^(L) mod N=x, N being a public number that is the product of at least two secret primes; wherein in said step 5 said signature client B creates, by a modulo calculation, t derandomized proved responses z'_(i) from said t proved responses z_(i), said random components, said t inquiries β_(i) and said public information x; and wherein in said step 6 said verifier C performs a modulo calculation for said t derandomized proved responses z'_(i), said t inquiries β_(i) and said public information x to obtain t values x*_(i) and makes said check by determining whether or not information f(m, x*), obtained by applying said message m and said t values x*_(i) to said one-way function f, each matches with the corresponding one of said t inquiries β_(i).
 9. The authentication system of claim 1, wherein in said step 1 said prover A computes, by a modulo calculation, said initial response x' from the rth power, r being said random number, of a public number g;wherein in said step 2 said pretender B computes, by a modulo calculation, said randomized initial response x" from said initial response x', said random components, public information x and said public number g; wherein in said step 4 said pretender B computes, by a modulo calculation, said randomized inquiry β' from said inquiry β and said random components; wherein in said step 5 said prover A computes, by a modulo calculation, said proved response z from said random number r, said randomized inquiry β' and said secret key s; wherein in said step 6 said pretender B computes, by a modulo calculation, said derandomized proved response z' from said proved response z and said random components; and wherein in said step 7 said verifier C makes said check by determining whether a value, obtained by a modulo calculation from said public number g, said derandomized proved response z', said inquiry β and said public information x, matches with said randomized initial response x" received from said pretender B.
 10. The authentication system of claim 2, wherein in said step 1 said prover A generates t random number r_(i) and computes, by a modulo calculation, t initial responses x'_(i) from the r_(i) -th powers, r_(i) being said random numbers, of a public number g where t is an integer greater than 1 and i=1, 2, . . . , t.wherein in said step 2 said signature client B computes, by a modulo calculation, t randomized initial responses x"_(i) from said t initial responses x'_(i), said random components, a public number g and public information x; wherein in said step 3 said signature client B computes, by β_(i) =f(m, x"_(i)), t inquiries β_(i) from said t randomized initial responses x"_(i) and said message m and creates, by a modulo calculation, t randomized inquiries β'_(i) from said inquiries β_(i) and said random components, f being a one-way function; wherein in said step 4 said prover A creates, by a modulo calculation, t proved responses z_(i) from said random number r_(i), said randomized inquiries β'_(i) and said secret key s; wherein in said step 5 said signature client B creates, by a modulo calculation, t derandomized proved responses z'_(i) from said t proved responses z_(i), and said random components; and wherein in said step 6 said verifier C performs a modulo calculation for said public number g, said t derandomized proved responses z'_(i), said t inquiries β_(i) and said public information x to obtain t values x*_(i) and makes said check by determining whether or not each information f(m, x*_(i)), obtained by applying said message m and said t values x* to said one-way function f, matches with the corresponding one of said inquiries β.
 11. The authentication system of claim 1, 3, 5, 7 or 9, wherein a sequence of said steps 1 to 7 is repeated a plurality of times each for newly crated said random number r, said initial response x', said random components and said inquiry β.
 12. The authentication system of claim 1, 3, 5, 7 or 9, wherein each of said steps 1 to 7 is repeated a plurality of times each for newly created said random number r, said initial response x', said random components and said inquiry β.
 13. The authentication system of claim 3, 5, or 7, wherein said modulo calculations in said steps 1, 2, 5, 6 and 7 are each a modulo N calculation for said public number N.
 14. The authentication system of claim 9, wherein said modulo calculations in said steps 1, 2, and 7 are each a modulo P calculation for a public prime P and said modulo calculations in said steps 5 and 6 are each a modulo (P-1) calculation for (P-1) and wherein said secret key s satisfies g^(s) mod P=x.
 15. The authentication system of claim 4, 6 or 8, wherein said modulo calculations in said steps 1, 2, 4, 5 and 6 are each a modulo N calculation for said public number N.
 16. The authentication system of claim 10, wherein said modulo calculations in said steps 1, 2 and 6 are each a modulo calculation P for a public prime P and said modulo calculations in said steps 4 and 5 are each a modulo (P-1) calculation for (P-1), and wherein said secret key s satisfies g^(s) mod P=x.
 17. The authentication system of claim 3, 4, 7, or 8, wherein said public information x is obtained from operation of x=f(ID) by applying personal identifying information ID of said prover A to said one-way function f.
 18. The authentication system of claim 5 or 6, wherein said k pieces of public information x_(j) are obtained from operation of x_(j) =f(ID, j) by applying personal identifying information ID of said prover A to said one-way function f.
 19. A signature client device for a message authentication system in which a prover A proves the validity of a message of a signature client B to a verifier C, said device comprising:random generator means for generating random components; initial response randomizer means wherein an initial response x' input from said prover A is randomized with said random components from said randomizer means to output a randomized initial response x"; inquiry generator means which outputs an inquiry β created by an operation from said randomized initial response x" from said initial response randomizer means and a message m, and outputs a randomized inquiry β' obtained by randomizing said inquiry β with said random components; and derandomizer means which receives a proved response z from said prover A and said random components from said random generator means, eliminates the influence of said random components from said proved response z, and out puts a derandomized proved response z'; wherein said message m, said inquiry 8 and said derandomized proved response z' are sent to said verifier C for verification.
 20. The signature client device of claim 17, wherein said initial response randomizer means includes modulo calculating means which performs a modulo N calculation using at least said initial response x', said random components and public information x, thereby creating said randomized initial response x", where N is a product of at least two secret primes.
 21. The signature client unit of claim 20, including one-way function means which receives personal identifying information ID of said prover A, performs an operation of x=f(ID) by use of a one-way function f and outputs said public information x.
 22. The signature client device of claim 19 or 20, wherein said inquiry generator means includes means which performs a modulo calculation of the sum of said inquiry β and said random component and outputs the result of said calculation as said randomized inquiry β'.
 23. The signature client device of claim 19, wherein said initial response randomizer means include modulo calculation means which performs a modulo P calculation for a public prime P on the basis of said initial response x', said random components and said public information x, thereby producing said randomized initial response x".
 24. The signature client device of claim 19, 20 or 23, wherein said inquiry generator means includes one-way function generator means which receives said message m and said randomized initial response x", operates β=f(m, x") with a one-way function f and out-puts said inquiry β.
 25. The signature client device of claim 19, 20, 21, or 23 wherein said inquiry generator means includes means for computing said randomized inquiry β' by a calculation of modulo 2 of said inquiry β and said random component.
 26. The signature client device of claim 20 or 21, wherein said derandomizer means which performs a modulo N calculation for said public number N on the basis of a proved response z received from said prover A, said random components and said public information and outputs said derandomized proved response z'.
 27. The signature client device of claim 23, wherein said derandomizer means includes means which performs a modulo (P-1) calculation for said public prime P on the basis of said proved response z received from said prover A and said random components and outputs said derandomized proved response z'.
 28. The signature client device of claim 19, wherein said random generator means is a means for generating, as said random components, t sets of a random bit e_(i) and an arbitray random number u_(i) where t is an integer greater than 1 and i=1, 2, . . . , t;wherein said initial response randomizer means is a means which receives said t sets of random components e_(i) and u_(i), said public information x and said initial response x' received from said prover A and creates t randomized initial responses x"_(i) by performing the following modulo N calculation for public number N:

    x".sub.i=u 2.sub.i ·x.sup.-e.sbsp.i ·x'.sub.i (mod N)

said public number N being the product of two secret primes; wherein said inquiry generator means includes one-way function means which receives said message m and said randomized initial responses x"_(i), calculates β_(i) =f(m, x"_(i)) with a one-way function f and outputs said inquiry β_(i), and modulo calculation means which receives said inquiries β_(i) and said random components e_(i), calculates β_(i) +e_(i) mod 2, and outputs said randomized inquiries β'_(i) ; and wherein said derandomizer means is a means which receives said random components e_(i) and u_(i) , said inquiries β_(i), said public information x, said public number N and said proved responses z_(i) received from said prover A and computes said derandomized proved responses z'_(i) by ##EQU14##
 29. The signature client device of claim 19, wherein said random generator means is a means for generating, as said random components, t sets of k random bits e_(ij) and t arbitrary random numbers u_(i), where j=1, 2, . . . , k, k being an integer greater than 1;wherein said initial response randomizer means is a means which receives said k random components e_(ij) and u_(i) , k pieces of public information x_(j) and said initial responses x'_(i) and produces said t randomized initial responses x"_(i) by the following modulo N calculation for said public number N:

    x".sub.i =x'.sub.i u.sub.i.sup.2 e.sub.ij.sup. =l.sup.x j.sup.(mod N),

where i=1, 2, . . . , t, and j=1, 2, . . . , k, said public number N being the product of two secret primes; wherein said inquiry generator means includes one-way function means which receives said message m and said randomized initial responses x"_(i), calculates β_(ij) =f(m, x"_(i)) with a one-way function f and outputs said inquiries β_(ij), and modulo calculation means which receives said inquiries β_(ij) and said random components e_(ij), calculates

    β'.sub.ij =e.sub.ij +β.sub.ij (mod 2)

and outputs said randomized inquiries β'_(ij) ; and wherein said derandomizer means includes logical product means which receives said random components e_(ij) and said inquiries β_(ij) and calculates their logical products c_(ij) =β_(ij) ·e_(ij), and a means which receives said random components u_(i), said logical products c_(ij), said public information x_(i), said public number N and said proved responses z_(i) received from said prover A and computing said derandomized proved responses z'_(i) by ##EQU15## where i=1, 2, . . . , t and j=1, 2, . . . k.
 30. The signature client device of claim 19, wherein said random generator means is a means for generating, as said t random components, random numbers e_(i) ε{0, 1, . . . , L-1} and random numbers u_(i) ε{1, 2, . . . , N-1}, where i=1, 2, . . . , t, N being a public number that is the product of two primes and L an public integer;wherein said initial response randomizer means is a means which receives said random components r_(i) and u_(i), public information x and said initial response x' received from said prover A and produces said randomized responses x"_(i) by the following modulo N calculation:

    x".sub.i =x'.sub.i ·u.sub.i.sup.L ·x.sup.e.sbsp.i (mod N)

wherein said inquiry generator means includes one-way function means which receives said message m and said randomized initial responses x"_(i), computes {β_(i) =f(m, x"_(i) . . . , x"_(t)) with a one-way function f and outputs said inquiries β_(i) and modulo calculation means which receives said inquiries β_(i) and said random components e_(i), calculates

    β'.sub.i =e.sub.i +β.sub.i (mod L)

and outputs said randomized inquiries β'_(i) ; and wherein said derandomizer means is a means which receives said random components e_(i) and u_(i), said inquiries β_(i), said public information x, said public number N and said proved responses z_(i) received from said prover A and computes said derandomized proved responses z'_(i) by ##EQU16##
 31. The signature client device of claim 19, wherein said random generator means is a means which generates, as said random components, t sets of a random bit e_(i) and an arbitray random number u_(i), where t is an integer equal to or greater than 1, i=1, 2, . . . , t, and 0≦u_(i) ≦P-2, P being a public prime;wherein said initial response randomizer means is a means which receives said random components e_(i) and u_(i), public information x, a public number g and said initial responses x'_(i) supplied from said prover A and generates said t randomized initial responses x"_(i) by the following modulo P calculation:

    x".sub.i =g.sup.u.sbsp.i ·x.sup.e.sbsp.i ·x.sub.i.sup.1-2e.sbsp.i (mod P)

wherein said inquiry generator means includes a means which receives said message m and said randomized initial responses x"_(i) and outputs said inquiry β_(i) by calculating {β_(i) }=f(m, x"_(i), . . . , x"_(t)) with a one-way function 5, and modulo calculation means which receives said inquiries β_(i) and said random components e_(i), performs a modulo 2 calculation of their sum and outputs the results of calculation as said randomized inquiries β_(i) '; and wherein said derandomizer means is a means which receives said random components e_(i) and u_(i), said proved responses z_(i) and said public number P and computes said derandomized proved responses z'_(i) by

    z'.sub.i =u.sub.i +z'.sub.i.sup.1-2.sbsp.e i(mod P-1). 